On Thu, 2 Aug 2001, phil wrote:

Hi,

This bug is hard to exploit remotely; you'd need to upload a file that can be read by the CGI script. If an attacker can do that, your config is messed up anyways. The CGI script must be corrected, that's all; no need to filter REFERER. We are working on it.

Sebastian
How do we filter this HTTP_REFERER?
---------- Forwarded Message ----------

Date: Thu, 2 Aug 2001 01:09:42 +0200 (CEST)
From: Maurycy Prodeus
To: bugtraq@securityfocus.com
Subject: suse: sdbsearch.cgi vulnerability

Hello,

I found a weakness in the sdbsearch.cgi script, which is part of the SuSE distribution. This is a Perl script, and since SuSE 7.1 they have introduced some form of protection (the interpreter is called with taint checking). However, I think it isn't enough and this bug may still produce danger.
Sdbsearch.cgi trusts the content of the HTTP_REFERER variable, which is set by the client side during HTTP requests. A piece of this data is used to locate the file with keywords and referenced files. If there is a possibility to put such a file on the attacked host (i.e. upload through ftpd) with special content, sdbsearch will use open() to get access to the matched files. So we can make a standard open() pipe-based attack (only without the -T option). The name of the uploaded file has to be "keylist.txt" because we manipulate only the pathname, using double dots.
Proof of concept is very simple: just create a harmful keylist.txt, for instance in the /tmp directory, and send a request to the HTTP server like this:
GET /cgi-bin/sdbsearch.cgi?stichwort=keyword HTTP/1.0
Referer: http://szachy.org/../../../../../tmp

(very deep traversal because we don't know what DOCUMENT_ROOT is)
and an example content of our /tmp/keylist.txt, created like this:

$ echo -e "keyword\0touch exploitable|" > /tmp/keylist.txt
After a successful attempt there will be an "exploitable" file in the /tmp directory.
Affected systems: SuSE 6.x, 7.x (7.1 and 7.2 have tainting protection, but even then we can pass sdbsearch files which shouldn't be read)

Patch: Just filter the HTTP_REFERER variable.
- z33d
--
~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer@suse.de - SuSE Security Team
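Sebastian's point, that the script must be fixed rather than the header filtered, comes down to two things inside the CGI: the directory taken from the Referer has to be confined to the document root, and the file has to be opened with three-argument open() so the name is never parsed as a pipe. The Perl below is an added example written for this thread, not the SuSE sdbsearch.cgi code; keylist_path_from_referer(), read_keylist(), the keylist.txt line format and the temporary document root are all constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example, not the SuSE sdbsearch.cgi code: confine a Referer-derived
# directory to DOCUMENT_ROOT and open keylist.txt with three-argument open().
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Assumption: the script may only read keyword lists below the document root.
my $DOCROOT;

# Return the absolute path of keylist.txt for the directory named in the
# Referer, or undef when that directory lies outside $DOCROOT or the path
# contains characters a URL path to a keyword directory never needs.
sub keylist_path_from_referer {
    my ($referer) = @_;
    return undef unless defined $referer;

    # Keep only the URL path: drop scheme://host, then any query or fragment.
    (my $path = $referer) =~ s{^[A-Za-z][A-Za-z0-9+.-]*://[^/]*}{};
    $path =~ s/[?#].*//s;

    # Whitelist the characters; NUL, "|", "<", ">" and spaces never pass,
    # and ".." is refused explicitly. Under -T this match is where a capture
    # would untaint the value.
    return undef unless $path =~ m{^(?:/[A-Za-z0-9_.-]+)*/?$};
    return undef if $path =~ m{(?:^|/)\.\.(?:/|$)};

    # realpath() resolves symlinks, so the prefix test runs on the real tree.
    my $dir = realpath(File::Spec->catdir($DOCROOT, $path));
    return undef unless defined $dir;
    return undef unless $dir eq $DOCROOT || index($dir, "$DOCROOT/") == 0;
    return File::Spec->catfile($dir, 'keylist.txt');
}

# Three-argument open(): the file name is data, never a pipe specification.
sub read_keylist {
    my ($file) = @_;
    open(my $fh, '<', $file) or return ();
    my @lines = <$fh>;
    close $fh;
    chomp @lines;
    return @lines;
}

# Stand-alone demonstration on a constructed document root.
$DOCROOT = realpath(tempdir(CLEANUP => 1));
mkdir "$DOCROOT/sdb" or die "mkdir: $!";
open(my $out, '>', "$DOCROOT/sdb/keylist.txt") or die "open: $!";
print $out "keyword sdb/en/html/keyword.html\n";   # constructed sample line
close $out;

for my $referer ('http://www.example.invalid/sdb/',
                 'http://www.example.invalid/../../../../../tmp') {
    my $file = keylist_path_from_referer($referer);
    print "$referer -> ",
          (defined $file ? 'read: ' . join(', ', read_keylist($file)) : 'rejected'),
          "\n";
}
```

The first Referer resolves to a directory below the document root and its keylist.txt is read; the second is refused by the ".." check before any path is even resolved, and would also fail the realpath() prefix test. Because the open() call uses a separate mode argument, a keylist.txt that an attacker managed to place on the host is only ever read as text, never executed.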